5 Disciplines of Cloud Governance

By Nathan Lasnoski

The best organizations are the ones that balance a growth mindset in the cloud with effective cloud governance. The growth mindset is the company challenging itself, its previous assumptions, and its understanding of what the future looks like. Its partner is governance that accelerates the transformation while ensuring protection and responsibility. The goal of cloud governance is not to slow down adoption, nor is it to impose traditional IT controls. The goal of cloud governance is to put the important guardrails on the implementation so that teams can measure once and cut once… because they are using the right tools.

To talk about the five disciplines of cloud governance I’ll turn to the Microsoft Cloud Adoption Framework (CAF) which does a nice job of laying out the things we need to be interested in. They are:

  1. Cost Management
  2. Security Baseline
  3. Resource Consistency
  4. Identity Baseline
  5. Deployment Acceleration

The implementation pattern is that of a Minimum Viable Product (MVP), evolving from there. The goal is to establish an effective starting point for each discipline, then iterate on it as the controls are implemented. The CAF diagram below shows the implementation cadence of a Governance MVP.

Cost Management

The discipline of cost management is perhaps the most critical success factor because a key responsibility of business is to be effective stewards of the resources available to them. This is where controls like tagging, subscriptions, resource groups, owners, application names, etc. are super important. These types of labels and controls define the starting point of any effective cost management strategy. The end goal… is that dollars spent on the cloud directly align to business value attained.

Worse (1) to Better (6):

  1. No cost management
  2. No cost management, initial cloud
  3. Basic cost management
  4. Cloud cost management w/ chargeback
  5. Cost allocation to Business Unit (BU)
  6. Cost allocation to Business Unit (BU) and App

See the diagram below:

Security Baseline

The next discipline is having a security baseline across your cloud environment. The security baseline should not only assess, it should implement controls based on the security policy defined for the organization. This forms the framework for application teams to rapidly adopt and build on the cloud, while not having to reinvent the wheel and continue to have the same security holes time and time again.

Worse (1) to Better (6):

  1. No cloud, no baseline
  2. Cloud, no baseline
  3. Cloud, documented policy
  4. Cloud, implemented policy
  5. Cloud, idempotent policy
  6. Cloud, idempotent policy + review cycle

Resource Consistency

This can quickly get out of control. By consistent, I don’t mean consistently chaotic… I mean consistently controlled, uniform, and clean. We do this by implementing effective standards for deployment, leveraging techniques like Azure Policy, infrastructure-as-code, and release management. The goal of resource consistency is to make our environment understandable, supportable, and manageable after we’re gone.

Worse (1) to Better (6):

  1. No cloud environment
  2. No labeling, no consistent deployment approach
  3. Requires tags, not consistent in names
  4. Consistent naming framework
  5. Naming framework aligns to service registry
  6. Consistent naming, deployment, and policy
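As an added illustration (not code from this post or from the CAF), the check below ties the cost-management controls above (required owner, app and BU tags; cost allocation to BU and app) to this resource-consistency ladder (required tags and a naming framework). The required tag set, the naming pattern and the resource inventory are all assumed and constructed for the example.

```python
import re
from collections import defaultdict

# Assumed governance baseline: every resource carries these tags.
REQUIRED_TAGS = ("owner", "app", "bu")

# Assumed naming framework: <bu>-<app>-<env>-<type>, e.g. "fin-payroll-prod-vm".
NAME_PATTERN = re.compile(
    r"^(?P<bu>[a-z]+)-(?P<app>[a-z0-9]+)-(?P<env>dev|test|prod)-(?P<type>[a-z]+)$"
)

# Constructed sample inventory: resource name, tags, monthly cost in dollars.
INVENTORY = [
    {"name": "fin-payroll-prod-vm", "tags": {"owner": "a.smith", "app": "payroll", "bu": "fin"}, "cost": 400.0},
    {"name": "fin-payroll-prod-sql", "tags": {"owner": "a.smith", "app": "payroll", "bu": "fin"}, "cost": 300.0},
    {"name": "mkt-web-prod-vm", "tags": {"owner": "b.jones", "app": "web"}, "cost": 200.0},  # no bu tag
    {"name": "TestVM01", "tags": {}, "cost": 100.0},  # untagged, off-framework name
]

def check_resource(resource):
    """Return policy findings for one resource; an empty list means compliant."""
    findings = []
    missing = [t for t in REQUIRED_TAGS if t not in resource["tags"]]
    if missing:
        findings.append(f"missing required tags: {', '.join(missing)}")
    m = NAME_PATTERN.match(resource["name"])
    if not m:
        findings.append("name does not follow <bu>-<app>-<env>-<type> framework")
    else:
        # Name and tags must agree, or cost reports and the service registry drift apart.
        for key in ("bu", "app"):
            if key in resource["tags"] and resource["tags"][key] != m.group(key):
                findings.append(f"tag {key}={resource['tags'][key]!r} disagrees with name segment {m.group(key)!r}")
    return findings

def allocate_cost(inventory):
    """Roll monthly cost up to (bu, app); spend without a tag lands in 'unallocated'."""
    totals = defaultdict(float)
    for r in inventory:
        totals[(r["tags"].get("bu", "unallocated"), r["tags"].get("app", "unallocated"))] += r["cost"]
    return dict(totals)

def unallocated_share(inventory):
    """Fraction of spend with no business unit: a direct read on cost-management maturity."""
    total = sum(r["cost"] for r in inventory)
    return sum(r["cost"] for r in inventory if "bu" not in r["tags"]) / total if total else 0.0

if __name__ == "__main__":
    for r in INVENTORY:
        for finding in check_resource(r):
            print(f"{r['name']}: {finding}")
    print(allocate_cost(INVENTORY), f"unallocated share: {unallocated_share(INVENTORY):.0%}")
```

Run as a scheduled job over a real inventory export, the unallocated share and the count of findings give you a number to track as the environment moves up the ladder.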

Identity Baseline

If “identity is the new control plane”, then we need to take extra care to ensure it is implemented well, not just half-way. Identity needs a solid process for provisioning, de-provisioning, and protection, something that is uncommon in most on-premises environments. Driving maturity and improvement here is key to a well-managed environment.

Worse (1) to Better (6):

  1. No identity protection, no process for onboarding
  2. Multi-factor auth for risk based sign-in
  3. Multi-factor auth for conditional access (risk + health)
  4. MFA / conditional access + onboarding process
  5. MFA / conditional access + modern desktop + onboarding
  6. MFA / conditional access + modern desktop + onboarding + Azure AD primary

Deployment Acceleration

The goal of deployment acceleration is to slipstream new workloads into the cloud by making it easier to work within the environment. This doesn’t necessarily mean that deploying a workload is easier the first time, but it does mean that we accelerate deployments on an ongoing basis and optimize deployment and operational consistency by raising the maturity of this process.

Worse (1) to Better (6):

  1. Deployment through a Cloud Management Portal
  2. Deployment through the native portal
  3. Deployment of infrastructure-as-code as a best practice
  4. Deployment of infrastructure-as-code required for production
  5. Deployment of infrastructure and app-as-code
  6. Deployment of code and test-driven release management

Here it is as a graph:

Bring all of these maturity curves together and you start to build an environment that truly accelerates your movement toward an operationalized cloud. Sometimes customers will ask “does it really need to be this complicated?” The more work you do to build an operational app model up front, the exponentially less time you spend after the environment is in place. See you on the flip side!

Nathan Lasnoski

Chief Technology Officer